Updated Privacy Policy: EU-U.S., UK, Swiss-U.S., U.S., and LATAM Compliance Frameworks (Data Processor Role)
Effective Date: November 1st, 2024
Last Updated: December 12th, 2024
Moonflow LLC (“we,” “our,” “us”) acts as a data processor, processing personal data on behalf of our customers (the data controllers). This Privacy Policy outlines our commitment to protecting personal data in compliance with the EU-U.S.
1. Notice
Moonflow LLC processes personal data strictly in accordance with our customers’ instructions and applicable laws. We do not determine the purposes or means of processing; this is the responsibility of our customers (data controllers). The personal data processed may include:
- Contact Information: Name, email address, phone number.
- Account Information: Usernames, billing information.
- Behavioral Data: Usage patterns, preferences.
- Sensitive Data: Processed only with explicit consent as instructed by our customers.
Data Retention
We retain personal data only as required by our agreements with customers or applicable legal obligations. Upon termination of the agreement or upon request by the customer, personal data is securely deleted or returned, unless retention is required by law.
If you have questions regarding how your data is processed, please contact the data controller (our customer) directly. If you have questions about this Privacy Policy, you may contact us:
Email: jr@moonflow.ai
Mailing Address: 30 N Gould St, Sheridan, Wyoming, 82801, USA
2. Scope of Coverage
This policy is exclusively focused on non-human resources (non-HR) data. Our organization affirms that it covers only personal data that is not associated with HR activities.
3. Choice
Moonflow LLC follows the instructions of our customers regarding the rights of data subjects, including:
- Providing access to personal data.
- Handling requests to restrict or object to processing.
- Addressing opt-out requests (e.g., for CCPA or LGPD).
- Managing withdrawal of consent for processing sensitive personal data.
Opt-Out and Consent Withdrawal
If you wish to exercise these rights, please contact the data controller (our customer) directly. Moonflow LLC supports our customers in fulfilling these requests as part of our data processing agreement.
4. Accountability for Onward Transfer
Moonflow LLC may share personal data with subprocessors as required to deliver our services. Subprocessors are bound by contracts ensuring they:
- Process data only as instructed by Moonflow LLC and our customers.
- Adhere to the same level of data protection required by applicable regulations.
We may share your personal information with third-party service providers and partners to assist in providing services to you, such as customer support, among others.
International Data Transfers
Moonflow LLC ensures compliance with international data transfer regulations through mechanisms such as:
- Standard Contractual Clauses (SCCs).
- Adequacy decisions.
- Other lawful means.
The list of our subprocessors is available and is provided to customers in accordance with our agreements. The following third parties are involved:
- Amazon Web Services, Inc (more information at https://aws.amazon.com/). Personal data may be processed when handling user data, customer information, or any interactions made on our platform hosted on AWS. This processing complies with GDPR, including securing data storage and respecting user privacy rights.
- Google LLC (more information at https://cloud.google.com). Google services (such as Google Analytics, Google Ads, and Google Cloud) are used for collecting user data related to website usage, advertising, or cloud-based applications. Data collected may include browsing activity, location, and user interactions.
- OpenAI LP (more information at https://openai.com/). OpenAI processes data when users interact with AI models, like ChatGPT. Personal information, conversational data, and usage patterns may be logged for improving model performance, troubleshooting, or analytics.
Our Accountability
As part of our commitment to the Data Privacy Framework (DPF) Principles, we ensure that any third party we share your personal information with adheres to similar levels of data protection and security as required by the DPF Principles.
Our Liability
We remain responsible for ensuring your personal information is processed in compliance with the DPF Principles, even when handled by third parties acting on our behalf. If such third parties fail to comply with these obligations, we are liable for their actions unless we can demonstrate that we were not responsible for the event leading to the damage.
This means that we will take appropriate steps to resolve any issues that arise from the misuse of your personal information by a third party working on our behalf.
Your Rights
If you believe your personal information has been misused or improperly handled, you can contact us directly at jr@moonflow.ai. You also have the right to escalate the matter to an independent dispute resolution body or relevant regulatory authority as outlined in the Recourse, Enforcement, and Liability section below.
5. Security
Moonflow LLC implements robust technical and organizational measures to protect personal data, including:
- Encryption of data in transit and at rest.
- Access controls to prevent unauthorized access.
- Regular audits and security assessments.
We comply with applicable data protection laws, including GDPR, LGPD, and CCPA, in securing personal data.
6. Access
As a data processor, Moonflow LLC does not directly respond to data subject access requests. However, we support our customers in fulfilling such requests, including:
- Providing access to personal data.
- Assisting with corrections, amendments, or deletions.
- Enabling portability of data where applicable (e.g., under LGPD or GDPR).
If you wish to exercise these rights, please contact the data controller directly. Moonflow LLC will assist the data controller in responding to your request as required by law.
The right of individuals to access their personal data is a fundamental part of the General Data Protection Regulation (GDPR), which governs the processing of personal data across the European Union (EU). Article 15 of the GDPR outlines the Right of Access, ensuring that individuals have the ability to request and obtain access to their personal data that is being processed by an organization.
Right of Access explained:
- Right to Access Personal Data:
  - Under the GDPR, individuals (data subjects) have the right to request confirmation from a data controller about whether or not their personal data is being processed.
  - If the data is being processed, individuals have the right to access a copy of the data as well as additional information regarding the processing.
- What Information Can be Accessed?: When individuals exercise their right of access, they are entitled to obtain:
  - The personal data that is being processed.
  - The purposes of the processing.
  - The categories of data being processed.
  - The recipients or categories of recipients to whom the data has been or will be disclosed (e.g., third parties, recipients in other countries).
  - The period for which the data will be stored or the criteria used to determine that period.
  - The existence of the right to request rectification, erasure, or restriction of processing.
  - The right to lodge a complaint with a supervisory authority (such as the national data protection authority).
  - Information about the source of the data, if it was not collected directly from the individual.
- How to Request Access: Individuals must make a clear request to the organization (the data controller) to exercise their right of access. This can be done in writing or via other means as provided by the organization (such as an online form). The organization must respond within one month of receiving the request. In some cases, this period can be extended by an additional two months if the request is complex or the requests are numerous.
- No Charge for the Request: In most cases, accessing personal data is free of charge. However, if the request is manifestly unfounded or excessive (e.g., if the individual has made repeated requests), the organization can charge a reasonable fee based on administrative costs or refuse to comply with the request.
- Exceptions: While the right to access is quite broad, there are certain exceptions where access may be limited or denied, such as:
  - If it adversely affects the rights and freedoms of others (e.g., revealing someone else’s personal data).
  - If the request is related to ongoing legal proceedings, where providing access could interfere with those proceedings.
  - If providing access would compromise national security or the prevention of crime.
- Providing the Data: When the data is requested, the data controller must provide it in a structured, commonly used, and machine-readable format. If the individual asks for it, the controller must also provide the data in a format that allows it to be transferred to another service provider (this is the data portability aspect of GDPR).
- Transparency and Communication: Organizations are also required to be transparent about their data practices and should inform individuals about their right to access their personal data. This information should be included in privacy policies, which must be clear, easily understandable, and readily accessible to users.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Moonflow LLC commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
7. Data Integrity and Purpose Limitation
Moonflow LLC processes personal data only as instructed by our customers. We do not use personal data for purposes beyond those specified by the data controller. We assist our customers in ensuring data accuracy, completeness, and relevance as required by applicable regulations.
Under the General Data Protection Regulation (GDPR), informing individuals about their choices and the means available to them for limiting the use and disclosure of their personal data is a key requirement for ensuring transparency and respecting their rights. Here’s how you can address this obligation:
Choices about limiting the use and disclosure of their personal data
- Consent Withdrawal. Choice: Withdraw their consent at any time, for any specific purpose they initially agreed to.
- Profiling and Automated Decisions. Choice: Limit or refuse consent to automated decision-making or profiling that has a legal or significant impact.
- Data Minimization. Choice: Limit the scope of the data provided, only sharing what is absolutely necessary for the service or transactions.
- Cookie and Tracking Preferences. Choice: Ability to manage or opt-out of cookies and tracking technologies on our website.
8. Automated Decision-Making
Moonflow LLC does not engage in automated decision-making processes that produce legal or similarly significant effects. Any such processing would only occur under explicit instruction from our customers.
9. Recourse, Enforcement, and Liability
Moonflow LLC commits to assisting our customers in resolving complaints related to data protection. If you have a concern or dispute regarding your personal data, please contact the data controller (our customer). Moonflow LLC will support the data controller in addressing the complaint in accordance with applicable laws.
In cases where personal data is transferred to third parties, that is, where data is shared or forwarded to other entities (such as vendors, partners, or service providers), we remain liable for ensuring that the data is handled securely and in accordance with privacy laws or regulations.
- Transparency: Individuals will be informed about the potential for onward transfers of their personal data to third parties, such as service providers or business partners.
- Liability: Moonflow LLC may state that it remains liable for ensuring that any onward transfers comply with applicable data protection laws (e.g., GDPR, CCPA), and that third parties will also be bound by similar privacy obligations.
- Data Protection: Even though data is being transferred to third parties, Moonflow LLC will ensure that appropriate safeguards are in place to protect your personal data.
- Third-Party Obligations: Third parties receiving the data are required to adhere to the same data protection standards.
- Rights and Remedies: Individuals may be informed that they retain rights to take action against the organization if their data is mishandled, even if the data was transferred to third parties.
If unresolved, the following mechanisms apply:
- EU/UK Individuals: Relevant Data Protection Authorities (DPAs) or the UK Information Commissioner’s Office (ICO).
- Swiss Individuals: The Swiss Federal Data Protection and Information Commissioner (FDPIC).
- LATAM Individuals: Relevant national data protection authorities, such as Brazil’s ANPD or Mexico’s INAI.
10. Dispute Resolution and Binding Arbitration
In the event of a dispute arising from or relating to this Privacy Policy, or any violation of its terms, you (the individual) may be able to invoke binding arbitration to resolve any matter, under the following conditions:
- Arbitration Requirement: If a dispute cannot be resolved through informal negotiations, you agree to submit the matter to binding arbitration rather than pursuing litigation in court.
- Scope: This arbitration provision applies to disputes related to the use of our services, data processing practices, and any matters arising under this Privacy Policy.
- Conditions: Binding arbitration will only be invoked under certain conditions, and we may first attempt to resolve the issue through negotiation, mediation, or another mutually agreeable process.
- Arbitration Rules: The arbitration will be conducted by EU Data Protection Authorities (DPAs) under their rules, which will be binding upon both parties.
- Exclusions: This arbitration provision does not apply to certain claims, including those where binding arbitration is not permitted under applicable law, or if you opt out in accordance with the procedure outlined below.
- Opting Out: You may opt out of this arbitration provision within [X] days of agreeing to this Privacy Policy by sending written notice to [insert contact information]. If you opt out, the dispute may be resolved through litigation in the appropriate court, rather than arbitration.
- Class Action Waiver: You agree that any disputes or claims will be resolved individually, and you waive your right to participate in any class action, representative action, or similar legal proceeding.
11. Disclosure of Personal Information to Public Authorities
We may disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. This includes:
- Compliance with Legal Obligations: We are required to share personal data when mandated by law, such as responding to court orders, subpoenas, or other legal processes.
- National Security and Law Enforcement: In certain circumstances, we may share personal information with public authorities to comply with national security or law enforcement requirements, in accordance with applicable laws and regulations.
- Transparency: Where legally permitted, we will take reasonable steps to notify you of such disclosures and the nature of the request, unless prohibited by law.
- Data Protection: We ensure that all requests are thoroughly reviewed and comply with applicable legal and privacy standards before disclosing personal data.
If you have questions about how we handle lawful requests for data, please contact us at jr@moonflow.ai.
12. Verification
Moonflow LLC verifies compliance with applicable data protection frameworks through self-assessment and external compliance reviews, as required by agreements with customers or regulators.
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal obligations. Updates will be communicated to our customers and posted on our website with the revised effective date.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Moonflow LLC commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Moonflow LLC at:
Email: jr@moonflow.ai
Mailing Address: 30 N Gould St, Sheridan, Wyoming, 82801, USA
This Privacy Policy reflects our role as a data processor and our commitment to supporting our customers’ compliance with global data protection frameworks, including GDPR, LGPD, CCPA, and others.
Moonflow LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Moonflow LLC has been certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Moonflow LLC has been certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
The Federal Trade Commission has jurisdiction over Moonflow LLC’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). We adhere to the EU-U.S. DPF Principles with regard to personal data transferred from the European Union and the United Kingdom and the Swiss-U.S. DPF Principles with regard to personal data transferred from Switzerland.
Please be aware that your information may be subject to oversight or review by a federal agency, in accordance with applicable laws and regulations. While we take steps to ensure the confidentiality and security of your data, we cannot guarantee that oversight by regulatory authorities will not occur.